Abstract. Private handshaking allows pairs of users to determine which
(secret) groups they are both a member of. Group membership is kept
secret to everybody else. Private handshaking is a more private form of
secret handshaking [BDS+03], because it does not allow the group
administrator to trace users. We extend the original definition of a
handshaking protocol to allow and test for membership of multiple groups
simultaneously. We present simple and efficient protocols for both the
single group and multiple group membership case.
Private handshaking is a useful tool for mutual authentication, demanded
by many pervasive applications (including RFID) for privacy. Our
implementations are efficient enough to support such usually resource
constrained scenarios.

1 Introduction

A secret handshake allows members of a (secret) group to identify each other,
without revealing their membership to potential eavesdroppers or malicious
impostors. As an informal example taken from the real world, it would allow FBI
agents attending a hacker convention to recognise each other without giving
away their presence to the rest of the audience^1.

Several years ago, Balfanz et al. [BDS+03] revived interest (e.g., [CJT05])
in the development of secure (cryptographic) protocols to implement such secret
handshakes. According to them, secret handshakes are fundamentally different
from one-way accumulators [BdM94] and private matchmaking [BG85, Mea86,
ZN] (not to be confused with distributed match making [MV88]). We show that
this distinction is only superficial (depending on a particular notion of traitor
tracing), and that much simpler protocols, derived from the literature on
matchmaking (and pretty much equivalent to one-way accumulators) serve equally
well as secret handshake protocols. We call these protocols private handshaking
protocols.

^1 This, of course, is notwithstanding the use of any other distinctive features to
'spot' a typical FBI agent. Moreover, in this scenario, where all people present
belong essentially to just two groups, non-membership of one group 'proves'
membership of the other...

Such private handshaking protocols (that, unlike secret handshaking, do not
implement traceability) are quite suitable to resource constrained environments,
like low-end smart card, RFID or NFC-based^2 systems [RE03, Fin03]. Moreover,
they implement a form of mutual authentication that is sorely needed in many
pervasive systems [WSRE03, HHJ+06]. For instance, the privacy of a holder of
an RFID tag is better protected if the reader must authenticate to the tag before
the tag releases any information. A private handshaking protocol could ensure
that the tag would only grant access if the reader and the tag belong to the same
group.



1.1 State of the art 

Private matchmaking protocols, originally studied by Baldwin and Gramlich [BG85] 
(and followed up upon by Zhang and Needham [ZN]), allow users that share
the same 'wish' to locate and identify each other securely and privately. The 
canonical example used in both papers is that of matching job openings at big 
corporations with high-ranked managers looking for their next job opportunity. 
In this example a corporation will not want to publicly announce availability of 
a position, and similarly, a high-ranked manager will not want to reveal his or 
her job aspirations to everybody. The protocol of Baldwin and Gramlich [BG85] 
requires the presence of an on-line trusted third party. Zhang and Needham [ZN] 
improve on this by not using a trusted third party at all, and not using public-key 
cryptography either (making their protocol very light-weight). 

Secret handshaking protocols, as studied by Balfanz et al. [BDS+03] consider 
membership of a secret group instead, and allow members of such groups to reli- 
ably identify fellow group members without giving away their group membership 
to non-members and eavesdroppers. An example of this problem was given in the 
introduction. Balfanz et al. also pose the additional requirement that a group 
member can choose to authenticate to other group members that have a certain 
role within that group. Furthermore, they require that group membership is re- 
vocable, and that the protocols are forward repudiable, traceable and collusion 
resistant (see section 2.2 for details). Their protocols are secure under the
Bilinear Diffie-Hellman assumption [BF01] and the random oracle model [BR93b].
They require that each user periodically obtains fresh pseudonyms from the 
group administrator, for use in a handshake protocol run. 

Their results were later improved by Castelluccia et al. [CJT05] with
protocols based on CA-Oblivious encryption secure under the random oracle model
and either the Computational Diffie-Hellman assumption or the RSA
assumption [MOV96]. Like Balfanz et al., unlinkability in their protocols is
achieved at the cost of an ample supply of fresh pseudonyms used one by one in
every protocol run. Also, both protocols assume the existence of a group
administrator that distributes group secrets to group members, and that can
discover any traitors. Unfortunately, this also implies that the administrator
can discover all instances of a protocol run in which a particular user
participated^3. This is clearly a strong breach of privacy.

^2 RFID stands for Radio Frequency IDentification. NFC stands for Near Field
Communication. See the references for more information.

Tsudik and Xu [TX05] extend the secret handshaking problem to more than 
2 participants (but still determining shared membership of a single group) , and 
present protocols solving this generalisation with reusable credentials. This re- 
moves the main drawback found in previous protocols. Xu and Yung [XY04] 
previously achieved a similar reusability of credentials. 

Meadows [Mea86] built a matchmaking protocol without relying on an on-line
trusted third party (but using public key cryptography, cf. [ZN]). Interestingly,
she studied the matchmaking problem in the secret handshake setting: i.e., she 
considered secret group membership instead of communicating wishes. The dif- 
ference between both is subtle, but important (see [BDS+03]): if the wish can be 
guessed, then (by definition of the matchmaking problem that any pair of users 
sharing the same wish can identify each other) the owner of that wish can be 
identified. Similarly, if 'secret' group names are used as input to matchmaking 
protocols, then anybody able to guess the group name can locate the other, real, 
group members, and moreover can impersonate a group member. 

In a similar vein, set intersection protocols [FNP04, KS05] are subtly different
from private handshaking protocols as well. Typically, the domain of the sets
over which the intersection has to be computed is much smaller, and in any
case, any element in the domain is a possible member. For private handshaking
protocols, however, group membership is encoded by a secret value from a much
larger, sparsely occupied, domain. Moreover, not all set intersection protocols
require the outcome of the computation to be secret. A more thorough discussion
of the relationship between secret handshaking, oblivious encryption/signatures
and hidden credentials can be found in [Hol05].

1.2 Our results 

We define the private handshaking problem as a more private form of secret
handshaking [BDS+03], that does not allow a group administrator (or anyone
else) to trace users running the protocol. This makes private handshaking a more
private form of secret handshaking. Our model and definitions are described
in Sect. 2. The main contribution of this paper is the conclusion that, when
dropping traceability, much more efficient implementations of handshaking are
possible. This makes such protocols viable for resource constrained environments,
like RFID or NFC-based systems.

^3 In the current implementations of these protocols, this is trivial because the
parties exchange pseudonyms initially distributed by the group administrator. More
fundamentally, this could be achieved in full generality by running the traitor
tracing protocol on a normal protocol run. By definition, this would reveal the
parties involved (provided they were members of the group).

We extend the definition of handshake protocols to handle the (much more
common) case where people are members of several groups. Using existing,
single-group, handshaking protocols Alice and Bob (members of $a$ and $b$ groups
respectively) can do no better than running $a \times b$ handshake protocols in
parallel to determine all the groups that they share membership of. We show that,
in fact, $O(a + b)$ type protocols exist.

We then present two protocols for private handshaking, one for the case
where Alice and Bob are members of a single group (Sect. 3), and another
where Alice and Bob are a member of any number of groups each (Sect. 4).
Both use a single Diffie-Hellman key exchange [DH76] and exchange as many
hashes as the largest number of allowed group memberships per user^4. Security of
the protocols relies on the Diffie-Hellman assumption [MOV96] and the random
oracle assumption [BR93b].

2 Model and notation 

2.1 System and adversary model 

We assume a distributed system of $n$ nodes, connected by asynchronous message
passing. Nodes can be members of zero, one or more groups $G \in \mathcal{G}$. There are
$m$ different groups. We write $i \in G$ if node $i$ belongs to group $G$, and $\mathcal{G}_i$ for the
set of all groups to which node $i$ belongs. We assume group membership is fixed
and part of the initialisation of the system. We will discuss the ramifications of
this assumption later on in Sect. 5.

The system is controlled by a Dolev and Yao [DY81] style adversary $\mathcal{A}$ that
may block, delay, relay, delete, insert or modify messages. This allows him to
force nodes to participate in a protocol run together with other nodes specified
by the adversary^5. The adversary may also corrupt any number of nodes in
the system, read all data stored by such nodes, and participate in protocol runs
"being within" such nodes. Nodes and the adversary are modelled as probabilistic
polynomial-time Turing machines. We write $\mathcal{A} \in G$ if the adversary corrupted
a member of group $G$, and $\mathcal{G}_\mathcal{A}$ for the set of all groups for which the adversary
corrupted a node. If a node $i$ is corrupted we write $i \in \mathcal{A}$. In this case $\mathcal{G}_i$ is
assumed to be a subset of $\mathcal{G}_\mathcal{A}$. Uncorrupted nodes are honest.

In other words, the adversary induces a sequence of message exchanges and 
protocol steps called a run. At the start of each run, all nodes are initialised. 



^4 Balfanz et al. [BDS+03] argue that a Diffie-Hellman key exchange cannot be used to
implement secret handshaking. Their argument however depends on the requirement
that individual members of a group need to be traceable, and hence does not apply
to private handshaking protocols.

^5 Bellare et al. [BR93a, BPR00] model the same adversarial power by allowing the
adversary to query an infinite supply of protocol oracles.
In this phase, nodes may be given long term secret data needed to securely run
the protocol. However, the adversary may subvert any number of nodes and 
retrieve this secret information stored by them. Finally, the adversary may force 
any node to reveal any secret information resulting from a particular protocol 
exchange. Typically, this involves a session key established by the protocol. 

2.2 The private handshake problem 

We have the following set of requirements (cf. [BDS+03, TX05]) for a private
handshake protocol run between two nodes $i$ and $j$, belonging to groups $\mathcal{G}_i$ and
$\mathcal{G}_j$, that returns output $O_i$ to $i$ and $O_j$ to $j$. All statements below hold with
overwhelming probability, for arbitrary adversary $\mathcal{A}$, for an arbitrary group $G$
and nodes $i$, $j$.

correctness/safety $O_i, O_j \subseteq \mathcal{G}_i \cap \mathcal{G}_j$.

progress If $i$ and $j$ are honest and all messages exchanged between them during
the run are delivered unaltered, $O_i = O_j = \mathcal{G}_i \cap \mathcal{G}_j$.

resistance to detection Let $j \in \mathcal{A}$ but $\mathcal{A} \notin G$. Then the adversary $\mathcal{A}$ cannot
distinguish a protocol run in which it interacts with a node $i \in G$ from a run
involving a simulator^6.

indistinguishability to eavesdroppers Let $i, j \notin \mathcal{A}$. Then the adversary $\mathcal{A}$
cannot determine whether $i \in G$ or $i \notin G$. This holds even if $\mathcal{A} \in G$. Note
that both participants in the run need to be uncorrupted, and that the
adversary does not modify^7 messages exchanged between $i$ and $j$.

unlinkability Adversary $\mathcal{A}$ is unable to distinguish a protocol run involving
node $i$ from a protocol run involving a node $j \neq i$ with $\mathcal{G}_j = \mathcal{G}_i$, even when
$\mathcal{G}_\mathcal{A} = \mathcal{G}_i$ and $\mathcal{A}$ participates in the protocol runs^8.

forward repudiability After the run, node $i$ cannot convince another node $k$
whether $j \in G$ or not. In other words, a run between $i$ and $j$ is indistinguishable
from a run between $i$ and $i$, for anyone except $i$.

Traditionally, the following two requirements are listed as well.

resistance to impersonation Let $j \in \mathcal{A}$ but $\mathcal{A} \notin G$. Then the adversary is
not able to convince a node $i \in G$ that $\mathcal{A} \in G$.

non traceability The group administrator of group $G$ is unable to link two
different protocol runs involving the same node $i \in G$.



^6 Note how this requirement subtly circumvents the problem that the adversary does
learn non-membership of $i$ of the groups it is itself a member of (by corruption or
otherwise).

^7 The powers of the adversary are limited to eavesdropping in this case. Clearly, an
active adversary belonging to the same group as $i$ can stage a man-in-the-middle
attack and determine membership of $G$ for $i$ just like a legitimate node $j$ could.

^8 The statement of this requirement is a bit involved because technically, an adversary
can distinguish different nodes from the groups they are a member of, if the adversary
itself is a member of those groups and if it participates in the runs. Intuitively, the
requirement simply says that protocol runs do not carry node identifiers or similar.
However, resistance to impersonation is actually implied by correctness and the
definition of $\mathcal{G}_i$ when $i$ is corrupted. And non-traceability is equivalent to
unlinkability if the group administrator is missing (or considered to be a normal,
corruptible, node). We therefore omit these requirements from the list.

We refrain from imposing a fairness requirement (cf. [BDS+03]) which would
require $O_i = O_j$ always. Fairness can be guaranteed, but at the expense of
running a complex fair exchange type protocol.

Similarly, we do not require the protocol participants to set up a shared 
session key to be used whenever mutual authentication was successful. The pro- 
tocols we present, however, do establish such a shared key. 

Finally, we note that Meadows [Mea86] stipulates that an adversary that
has stolen a secret from a group member cannot find out membership of
someone else without at least revealing group membership. This is similar to the
resistance to impersonation requirement, when fairness is guaranteed. Otherwise,
it will only hold when the adversary initiates the handshake.

3 Single membership protocols 

We first present a protocol to determine shared membership of a single group.
This protocol is basically a Diffie-Hellman key exchange using a secret generator $s$
as the group secret, and using the key validation phase as group membership test.
The validated key can be discarded or used for secure communication between
the authenticated parties. In fact, the protocol is very similar to SPEKE [Jab96],
and Meadows' [Mea86] basic protocol idea (but without exchanging the secret
session key in the clear, instead using a key verification round as in [BPR00]).
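The single membership protocol of Fig. 1, as an added example in Python; this is not code from the paper. It assumes a toy modulus $p = 2^{127} - 1$, uses one SHA-256 call with a label byte in place of the independent hash functions $h_3$, $h_4$, $h_5$, and the class, function and parameter names (`Party`, `run_handshake`, `tamper`) are the example's own. The `tamper` hook replaces Alice's exchange message in transit, which shows why the key validation round is what decides the output: a non-member, or a modified message, leaves both outputs empty.

```python
import hashlib
import secrets
from typing import Callable, Optional, Set, Tuple

# Toy parameter, constructed for this example: exponentiation is done in Z_p^*
# with p = 2^127 - 1 (a prime).  A deployment would use a standard DH group.
P = 2**127 - 1


def h(label: int, value: int) -> bytes:
    """Hash function h_label(value); SHA-256 with a label byte stands in for
    the independent functions h_3, h_4, h_5 of Fig. 1."""
    return hashlib.sha256(bytes([label]) + value.to_bytes(16, "big")).digest()


def random_element() -> int:
    return secrets.randbelow(P - 3) + 2        # uniform in [2, p-2]


class Party:
    """One participant (Alice or Bob in Fig. 1)."""

    def __init__(self, group: Optional[str], group_secret: Optional[int]):
        self.group = group
        # A member uses the group secret s as the DH generator; a non-member
        # uses a random generator so that its messages look the same on the wire.
        self.s = group_secret if group_secret is not None else random_element()
        self.x = random_element()                # fresh ephemeral exponent
        self.shared = 0                          # v^x, set after the exchange

    def exchange_message(self) -> int:
        return pow(self.s, self.x, P)            # u = s^x

    def receive_exchange(self, v: int) -> None:
        self.shared = pow(v, self.x, P)          # v^x, equals s^{xy} iff s_a = s_b

    def validation_tag(self, label: int) -> bytes:
        return h(label, self.shared)

    def validate(self, tag: bytes, label: int) -> Set[str]:
        # Key validation: output {G} only if the peer's tag matches our own value.
        if self.group is not None and secrets.compare_digest(tag, h(label, self.shared)):
            return {self.group}
        return set()

    def session_key(self) -> bytes:
        return h(3, self.shared)                 # k = h_3(v^x)


def run_handshake(alice: Party, bob: Party,
                  tamper: Optional[Callable[[int], int]] = None
                  ) -> Tuple[Set[str], Set[str], bool]:
    """Run the protocol of Fig. 1.  `tamper`, if given, replaces Alice's
    exchange message in transit (an active adversary on the channel)."""
    # Exchange phase
    u = alice.exchange_message()
    v = bob.exchange_message()
    if tamper is not None:
        u = tamper(u)
    bob.receive_exchange(u)                      # Bob computes u^y
    alice.receive_exchange(v)                    # Alice computes v^x
    # Key validation phase: Alice sends m = h_4(v^x), Bob sends m' = h_5(u^y)
    m = alice.validation_tag(4)
    m_prime = bob.validation_tag(5)
    out_b = bob.validate(m, 4)                   # O_b = {G_b} iff m = h_4(u^y)
    out_a = alice.validate(m_prime, 5)           # O_a = {G_a} iff m' = h_5(v^x)
    same_key = alice.session_key() == bob.session_key()
    return out_a, out_b, same_key


if __name__ == "__main__":
    s_g = random_element()                       # constructed secret of group "G"
    print(run_handshake(Party("G", s_g), Party("G", s_g)))               # ({'G'}, {'G'}, True)
    print(run_handshake(Party("G", s_g), Party("H", random_element())))  # (set(), set(), False)
```

Note that a non-member's exchange message is a random group element, exactly like a member's, so nothing on the wire distinguishes the two cases; only a party that already holds $s$ can compute the validation tag.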

3.1 Security proof 

The following lemmas prove that protocol 1 implements private handshaking.
We only sketch the proofs. Consider an arbitrary run between two nodes $i$ and
$j$, belonging to groups $\mathcal{G}_i = \{G_a\}$ and $\mathcal{G}_j = \{G_b\}$ where $i$ returns output $O_i$
and $j$ returns output $O_j$. Let $\mathcal{A}$ be an arbitrary adversary, and let $G$ be an
arbitrary group. A property holds with overwhelming probability if it holds with
probability larger than $1 - 1/2^\alpha$, where $\alpha$ is the security parameter. It holds with
negligible probability if the probability is less than $1/2^\alpha$.

Lemma 3.1 (correctness/safety). $O_i, O_j \subseteq \mathcal{G}_i \cap \mathcal{G}_j$ with overwhelming
probability.

Proof. Clearly the protocol ensures $O_i \subseteq \mathcal{G}_i$. We have $G_a \in O_i$ when
$h_5(u^y) = h_5(v^x)$. This happens only, with overwhelming probability, when $u^y = v^x$, in
other words $(s_a^x)^y = (s_b^y)^x$. This holds only with overwhelming probability when
$s_a = s_b$. □

Lemma 3.2 (progress). If $i$ and $j$ are honest and all messages exchanged
between them during the run are delivered unaltered, then $O_i = O_j = \mathcal{G}_i \cap \mathcal{G}_j$.
Alice                                        Bob
group $G_a$                                  group $G_b$
group secret $s_a$                           group secret $s_b$
(or random if none)                          (or random if none)

Exchange
pick random $x$                              pick random $y$
$u := (s_a)^x$          --- $u$ --->         receive $u$
receive $v$             <--- $v$ ---         $v := (s_b)^y$

Key validation
$m := h_4(v^x)$         --- $m$ --->         receive $m$
receive $m'$            <--- $m'$ ---        $m' := h_5(u^y)$
if $m' = h_5(v^x)$                           if $m = h_4(u^y)$
  then $O_a = \{G_a\}$                         then $O_b = \{G_b\}$
  else $O_a = \emptyset$                       else $O_b = \emptyset$
$k := h_3(v^x)$                              $k := h_3(u^y)$

Fig. 1. Message flow of the single membership private handshaking protocol.



Proof. This is easily verified by case analysis. □



Lemma 3.3 (resistance to detection). Let $j \in \mathcal{A}$ but $\mathcal{A} \notin G$. Then the
adversary $\mathcal{A}$ cannot distinguish a protocol run in which it interacts with a node
$i \in G$ from a run involving a simulator with non-negligible probability.

Proof. The adversary has to distinguish $s_a^x$ from $g^x$ given $f^x$ for $f$ known to the
adversary, where $x$ is fresh, random and unknown to the adversary. Moreover, $s_a$
is unknown to the adversary (but it may know many $s_a^y$, for fresh and unknown
$y$, from previous protocol runs). Distinguishing this would violate the
Diffie-Hellman assumption. □

Lemma 3.4 (indistinguishability to eavesdroppers). Let $i, j \notin \mathcal{A}$. Then
the adversary $\mathcal{A}$ cannot determine whether $i \in G$ or $i \notin G$ with non-negligible
probability. This holds even if $\mathcal{A} \in G$.

Proof. Similar to the proof of the previous lemma. □



Lemma 3.5 (unlinkability). Adversary $\mathcal{A}$ is unable to distinguish a protocol
run involving node $i$ from a protocol run involving a node $j \neq i$ with $\mathcal{G}_j = \mathcal{G}_i$,
even when $\mathcal{G}_\mathcal{A} = \mathcal{G}_i$ and $\mathcal{A}$ participates in the protocol runs.

Proof. Nodes $i$ and $j$ share the same state. Hence all messages sent by $i$ could
have been sent by $j$ as well. □
Lemma 3.6 (forward repudiability). After the run, node $i$ cannot convince
another node $k$ whether $j \in G$ or not.

Proof. Because $i$ is a member of $G$, it can construct a valid protocol run between
$i$ and $j$ all by itself, without $j$ participating at all. □

4 Arbitrary membership protocols 

It is possible to use the single membership protocol to determine all groups of
which both Alice and Bob are a member, by running the previous protocol for
all candidate pairs separately. However, if Alice is a member of $a$ groups and
Bob is a member of $b$ groups, this requires $a \times b$ message exchanges (and more if
the number of groups one is a member of should not be revealed). In this section
we describe a more efficient protocol (see Protocol 2), which does not provide
traitor tracing.

Suppose each user can be a member of at most $m$ groups. Each group is
identified by a group secret (which, essentially, is a random value). Each user
$A$ that is a member of a group stores its group secret in an array $s_a[\,]$. Any
remaining cells in the array are filled with random values (not corresponding to
groups). The array is randomly permuted after initialisation^9. After establishing
a shared secret session key $k$ using a Diffie-Hellman key exchange, Alice and Bob
exchange keyed hashes $h_k$ and $h'_k$ of each group secret. Real implementations
should use HMAC [BCK96]. Alice stores the hashes it receives in a set $H_b$, looks
for entries in $s_a[\,]$ whose hash occurs in $H_b$, and adds those as common group
members to $O_a$.

Note that Alice needs to use a hash function different from the one used 
by Bob, in order to avoid detection of shared membership by eavesdroppers. If 
Alice wishes not to reveal membership of certain groups, she can replace the 
corresponding group secret with a random value. However, Bob cannot avoid re- 
vealing his membership of those groups (unless he decides to do so independently 
from Alice). 
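The generalised protocol of this section (Fig. 2), as an added example in Python that is not the paper's code. It assumes a toy modulus $p = 2^{127} - 1$ with public generator $2$, derives $k$ by hashing the Diffie-Hellman value, and realises $h_k$ and $h'_k$ as HMAC-SHA256 under $k$ with two distinct direction labels, so that Alice's and Bob's hashes of the same secret never coincide on the wire. The group names, the 16-byte group secrets, the `hide` option (a party swapping a group secret for a random value, as in the paragraph above) and all class and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Toy parameters, constructed for this example: Diffie-Hellman in Z_p^* with
# p = 2^127 - 1 and public generator g = 2.  A deployment would use a standard group.
P = 2**127 - 1
G = 2
SECRET_LEN = 16                                   # group secrets are random 16-byte values
_rng = secrets.SystemRandom()

# Direction labels: Alice's h_k and Bob's h'_k must be different functions.
ALICE, BOB = b"A", b"B"


def keyed_hash(k: bytes, direction: bytes, secret: bytes) -> bytes:
    """h_k (direction A) or h'_k (direction B), realised as HMAC-SHA256 under k."""
    return hmac.new(k, direction + secret, hashlib.sha256).digest()


class MultiGroupParty:
    """A user with at most m memberships, holding the array s[] of Fig. 2."""

    def __init__(self, groups: Dict[str, bytes], m: int,
                 hide: FrozenSet[str] = frozenset()):
        if len(groups) > m:
            raise ValueError("more memberships than array slots")
        # A hidden group or an empty slot gets a random value that corresponds
        # to no group, so every array has exactly m entries regardless of memberships.
        slots: List[Tuple[Optional[str], bytes]] = [
            (None, secrets.token_bytes(SECRET_LEN)) if name in hide else (name, sec)
            for name, sec in groups.items()
        ]
        while len(slots) < m:
            slots.append((None, secrets.token_bytes(SECRET_LEN)))
        _rng.shuffle(slots)                       # random permutation (footnote 9)
        self.slots = slots
        self.x = secrets.randbelow(P - 3) + 2     # ephemeral DH exponent
        self.k = b""

    def exchange_message(self) -> int:
        return pow(G, self.x, P)                  # u = g^x

    def derive_key(self, peer_msg: int) -> None:
        # k = h(v^x): hash of the shared Diffie-Hellman value
        self.k = hashlib.sha256(pow(peer_msg, self.x, P).to_bytes(16, "big")).digest()

    def tokens(self, direction: bytes) -> List[bytes]:
        return [keyed_hash(self.k, direction, sec) for _, sec in self.slots]

    def shared_groups(self, received: List[bytes], peer_direction: bytes) -> Set[str]:
        # O = { s[i] | the peer's keyed hash of s[i] occurs in the received set H }
        H = set(received)
        return {name for name, sec in self.slots
                if name is not None and keyed_hash(self.k, peer_direction, sec) in H}


def run_multi_handshake(alice: MultiGroupParty, bob: MultiGroupParty):
    """Run Fig. 2; returns (O_a, O_b, H_a, H_b) where H_a, H_b are the token lists sent."""
    u, v = alice.exchange_message(), bob.exchange_message()
    bob.derive_key(u)
    alice.derive_key(v)
    H_a = alice.tokens(ALICE)                     # h_k(s_a[1]), ..., h_k(s_a[m])
    H_b = bob.tokens(BOB)                         # h'_k(s_b[1]), ..., h'_k(s_b[m])
    O_a = alice.shared_groups(H_b, BOB)           # {s_a[i] | h'_k(s_a[i]) in H_b}
    O_b = bob.shared_groups(H_a, ALICE)           # {s_b[i] | h_k(s_b[i]) in H_a}
    return O_a, O_b, H_a, H_b


# Constructed group secrets for the demonstration (a real group would draw its
# secret at random and hand it to its members at initialisation).
SECRETS = {name: hashlib.sha256(name.encode()).digest()[:SECRET_LEN]
           for name in ("red", "green", "blue", "gold")}


def demo(hide_from_alice: FrozenSet[str] = frozenset()) -> Tuple[Set[str], Set[str]]:
    alice = MultiGroupParty({g: SECRETS[g] for g in ("red", "green", "blue")},
                            m=4, hide=hide_from_alice)
    bob = MultiGroupParty({g: SECRETS[g] for g in ("green", "blue", "gold")}, m=4)
    O_a, O_b, _, _ = run_multi_handshake(alice, bob)
    return O_a, O_b


if __name__ == "__main__":
    print(demo())                                 # ({'green', 'blue'}, {'green', 'blue'})
    print(demo(frozenset({"blue"})))              # ({'green'}, {'green'})
```

Each side always sends exactly $m$ tokens, so an observer learns nothing about how many real memberships a party has; and because Alice checks her secrets under Bob's function $h'_k$ while Bob checks his under $h_k$, a shared group never shows up as a pair of equal values in the two token lists.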

4.1 Security proof 

The following lemmas prove that protocol 2 implements private handshaking
for multiple groups. We sketch the proofs of the lemmas. Consider an arbitrary
run between two nodes $i$ and $j$, belonging to groups $\mathcal{G}_i$ and $\mathcal{G}_j$ where $i$ returns
output $O_i$ and $j$ returns output $O_j$ (where we treat the group secrets $s_i[x]$ to
represent their respective groups). Let $\mathcal{A}$ be an arbitrary adversary, and let $G$ be
an arbitrary group. A property holds with overwhelming probability if it holds
with probability larger than $1 - 1/2^\alpha$, where $\alpha$ is the security parameter. It holds
with negligible probability if the probability is less than $1/2^\alpha$.



^9 If not, Bob might be able to infer the number of groups of which Alice is a member
from the fact that the $x$-th token happens to coincide with a group he himself is a
member of.
Alice                                              Bob
generator $g$                                      generator $g$
group secrets $s_a[1, \dots, m]$                   group secrets $s_b[1, \dots, m]$
(randomly permuted)                                (randomly permuted)

Exchange
pick random $x$                                    pick random $y$
$u := g^x$                  --- $u$ --->           receive $u$
receive $v$                 <--- $v$ ---           $v := g^y$
$k := h(v^x)$                                      $k := h(u^y)$

Group membership
$h_k(s_a[1]), \dots, h_k(s_a[m])$   --->           receive into $H_a$
receive into $H_b$                  <---           $h'_k(s_b[1]), \dots, h'_k(s_b[m])$
$O_a = \{ s_a[i] \mid h'_k(s_a[i]) \in H_b \}$     $O_b = \{ s_b[i] \mid h_k(s_b[i]) \in H_a \}$

Fig. 2. Message flow of the generalised private handshaking protocol.



Lemma 4.1 (correctness/safety). $O_i, O_j \subseteq \mathcal{G}_i \cap \mathcal{G}_j$ with overwhelming
probability.

Proof. Clearly $O_i \subseteq \mathcal{G}_i$. If $x \in O_i$ then also $h'_k(x) \in H_j$. Hence $h'_k(x) = z$ for
some $z$ received in the second phase of the protocol. If $z$ is not sent by $j$, then
$k$ is unknown to the adversary. Hence the chances that $h'_k(x) = z$ are negligible.
If $z$ is sent by $j$ then $z = h'_k(s_j[y])$ for some $y$. This happens, with overwhelming
probability, only when $x = s_j[y]$, and hence $x \in \mathcal{G}_j$. □

Lemma 4.2 (progress). If $i$ and $j$ are honest and all messages exchanged
between them during the run are delivered unaltered, then $O_i = O_j = \mathcal{G}_i \cap \mathcal{G}_j$.

Proof. This is easily verified by case analysis. □

Lemma 4.3 (resistance to detection). Let $j \in \mathcal{A}$ but $\mathcal{A} \notin G$. Then the
adversary $\mathcal{A}$ cannot distinguish a protocol run in which it interacts with a node
$i \in G$ from a run involving a simulator with non-negligible probability.

Proof. Since $j \in \mathcal{A}$, the adversary does know the shared session key $k$ derived
using the Diffie-Hellman key exchange. However, since $\mathcal{A} \notin G$, it does not know
the secret $s_i[x]$ for group $G$. Hence it cannot tell whether $h_k(s_i[x])$ and $h_{k'}(s_i[x])$
are hashes for the same group exchanged during different sessions, or if these
hashes correspond to different groups. This holds even if the adversary knows $k'$
for the other session as well. □

Lemma 4.4 (indistinguishability to eavesdroppers). Let $i, j \notin \mathcal{A}$. Then
the adversary $\mathcal{A}$ cannot determine whether $i \in G$ or $i \notin G$ with non-negligible
probability. This holds even if $\mathcal{A} \in G$.

Proof. If $i, j \notin \mathcal{A}$, then the adversary does not know the shared session key $k$
derived using the Diffie-Hellman key exchange. With a fresh, unknown, random
key $k$, the keyed hash value $h_k(s_i[x])$ corresponding to the secret for group $G$ is
indistinguishable from a random value, even if the adversary knows $s_i[x]$. □

Lemma 4.5 (unlinkability). Adversary $\mathcal{A}$ is unable to distinguish a protocol
run involving node $i$ from a protocol run involving a node $j \neq i$ with $\mathcal{G}_j = \mathcal{G}_i$,
even when $\mathcal{G}_\mathcal{A} = \mathcal{G}_i$ and $\mathcal{A}$ participates in the protocol runs.

Proof. Nodes $i$ and $j$ share the same state. Hence all messages sent by $i$ could
have been sent by $j$ as well. □

Lemma 4.6 (forward repudiability). After the run, node $i$ cannot convince
another node $k$ whether $j \in G$ or not.

Proof. Because $i$ is a member of $G$, it can construct a valid protocol run between
$i$ and $j$ all by itself, without $j$ participating at all. □

5 Conclusions 

We have presented two efficient protocols for secret handshaking. The second 
protocol efficiently supports membership of more than one group. The focus in 
this work is the efficiency of the protocols. They use only a few, quite simple, 
operations. This may allow the implementation of these protocols on resource 
constrained devices, like perhaps higher-end RFID tags. It is especially in these 
kinds of environments that a form of mutual authentication is required to provide 
a certain level of security and/or privacy. 

Our protocols do not allow for easy revocation of group membership: all 
remaining members need to be given a new, fresh, group secret. More efficient 
ways to support group membership revocation are an interesting topic for further 
research, especially given the requirement that the resulting protocols should still 
be efficient and should not allow a group administrator to trace users. We also
wish to develop more formal proofs for the security of our protocols. 

Two other possible extensions of the basic pairwise private handshake are 
left for further investigation. First of all, one could consider a private group 
handshake where a subgroup of a secret group can recognise membership of 
the same group simultaneously (e.g., when setting up a meeting). Secondly, one 
could create password based private handshakes by using the original idea of
Jablon [Jab96] based on a passkey shared by the members of the group.

We thank Flavio D. Garcia, David Galindo and Berry Schoenmakers for fruit- 
ful discussions on this topic, and the anonymous referees for their very insightful 
comments and suggestions. 